I. Overview

Oracle released its patch update notice for Q4 2021, disclosing multiple security vulnerabilities in its products, including four WebLogic-related vulnerabilities (CVE-2021-35617, CVE-2021-35620, CVE-2021-29425, and CVE-2021-35552). The risk of CVE-2021-35617 vulnerability is high. Attackers can construct malicious requests to remotely execute code.

If you are using WebLogic or other Oracle products, check your services and implement timely security hardening.

Reference: Oracle Critical Patch Update Advisory - October2021

This quarterly security update of Oracle involves 419 security vulnerabilities in Oracle Weblogic, Oracle Communications, Oracle Financial Services Applications, Oracle Insurance Applications, and Oracle MySQL. For details about the vulnerabilities, see the official website.

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. WebLogic Vulnerability Details

(Note: Vulnerabilities listed above are WebLogic vulnerabilities. For more information, refer to the official website of Oracle.)

IV. Affected Products and Components

Oracle Weblogic, Oracle Communications, Oracle Financial Services Applications, Oracle Insurance Applications, Oracle MySQL, and other products

V. Security Advisory

These vulnerabilities have been fixed in the official patch. Use a licensed account to log in to https://support.oracle.com and download the latest patch.

If you cannot install the patch in a timely manner, mitigate risks based on the repair suggestions provided by Oracle. Disable the network protocols or permissions that will probably be exploited by attacks.

The high-risk WebLogic vulnerability (CVE-2021-35617) can be mitigated by disabling the IIOP protocol.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.